Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other agreement governing Customer's use of Tembo's services (the "Agreement") between Tembo Data Systems, Inc., a Delaware corporation ("Tembo", "Processor", "we", "us", or "our") and the entity agreeing to these terms ("Customer", "Controller", "you", or "your").

This DPA applies where and only to the extent that Tembo processes Personal Data on behalf of Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area, the United Kingdom, or Switzerland.

1. Definitions

"Controller" means the entity that determines the purposes and means of the Processing of Personal Data.

"Customer Personal Data" means any Personal Data that Tembo Processes on behalf of Customer in providing the Service under the Agreement.

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, and any other applicable data protection legislation.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

"Processing" (and "Process") means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Processor" means an entity that Processes Personal Data on behalf of a Controller.

"Service" means Tembo's AI coding agent platform and related services as described in the Agreement.

"Standard Contractual Clauses" or "SCCs" means the contractual clauses adopted by the European Commission for the transfer of Personal Data to third countries.

"Subprocessor" means any third party engaged by Tembo to Process Customer Personal Data.

2. Processing of Customer Personal Data

2.1 Roles of the Parties

The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Tembo is the Processor.

2.2 Customer Obligations

Customer shall: (a) comply with its obligations under Data Protection Laws in respect of its Processing of Customer Personal Data; (b) ensure that its instructions to Tembo comply with Data Protection Laws; and (c) have obtained all necessary consents and rights to enable Tembo to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement.

2.3 Tembo Obligations

Tembo shall: (a) Process Customer Personal Data only in accordance with Customer's documented instructions, unless required by applicable law; (b) inform Customer if, in Tembo's opinion, an instruction infringes Data Protection Laws; (c) ensure that persons authorized to Process Customer Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality; and (d) comply with all applicable Data Protection Laws in the Processing of Customer Personal Data.

3. Details of Data Processing

3.1 Subject Matter and Duration

Tembo will Process Customer Personal Data for the duration of the Agreement to provide the Service. The subject matter of Processing is the provision of Tembo's AI coding agent platform, which includes autonomous background agents for software development tasks, code analysis, issue tracking integration, and related services.

3.2 Nature and Purpose of Processing

Tembo Processes Customer Personal Data to: (a) provide and operate the Service; (b) clone repositories and execute AI coding agents in sandboxed environments; (c) generate code changes and pull requests; (d) integrate with third-party services (GitHub, GitLab, Bitbucket, Linear, Jira, Slack, Sentry) as directed by Customer; (e) provide customer support; and (f) comply with applicable laws.

3.3 Categories of Personal Data

The Personal Data Processed may include: names, email addresses, usernames, IP addresses, and any Personal Data contained within source code, documentation, issues, or communications that Customer submits to the Service.

3.4 Categories of Data Subjects

Data Subjects may include: Customer's employees, contractors, end users of Customer's products, and any individuals whose Personal Data is contained within Customer's repositories or systems.

4. Security

4.1 Security Measures

Tembo shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (a) encryption of Personal Data in transit and at rest; (b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems; (c) measures to restore availability and access to Personal Data in a timely manner in the event of an incident; (d) regular testing and evaluation of the effectiveness of security measures; and (e) SOC 2 Type 1 certification with commitment to annual third-party penetration testing.

4.2 Personnel Security

Tembo shall ensure that personnel with access to Customer Personal Data: (a) are informed of the confidential nature of the Personal Data; (b) have received appropriate training on their responsibilities; and (c) are bound by confidentiality obligations that survive termination of their engagement.

5. Subprocessing

5.1 Authorized Subprocessors

Customer provides general authorization for Tembo to engage Subprocessors to Process Customer Personal Data. Tembo's current Subprocessors include: Amazon Web Services (AWS) for infrastructure and hosting; Anthropic for AI model inference (with zero data retention); LangFuse for AI process tracing; Sentry for exception tracking; Stripe for billing; and Clerk for authentication.

5.2 Subprocessor Obligations

Tembo shall: (a) enter into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA; (b) remain liable for Subprocessor compliance; and (c) maintain a current list of Subprocessors available upon request.

5.3 Changes to Subprocessors

Tembo shall notify Customer of any intended changes to Subprocessors at least fourteen (14) days in advance. Customer may object to such changes on reasonable grounds relating to data protection. If Customer objects and no resolution is reached, Customer may terminate the Agreement.

6. Data Subject Rights

Tembo shall assist Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, data portability, and objection. Tembo shall promptly notify Customer of any request received directly from a Data Subject and shall not respond to such request except as authorized by Customer or required by applicable law.

7. Personal Data Breach

7.1 Notification

Tembo shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate number of Personal Data records affected; (d) the likely consequences of the breach; and (e) measures taken or proposed to address the breach.

7.2 Cooperation

Tembo shall cooperate with Customer and provide reasonable assistance in investigating and mitigating the Personal Data Breach, and in Customer's compliance with any notification obligations under Data Protection Laws.

8. Data Protection Impact Assessment

Tembo shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under Articles 35 and 36 of the GDPR or equivalent provisions of other Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by Tembo.

9. Deletion and Return of Data

Upon termination of the Agreement or upon Customer's written request, Tembo shall delete or return all Customer Personal Data in its possession within thirty (30) days, except to the extent that retention is required by applicable law. Tembo certifies that Customer Personal Data will be permanently and securely deleted and will not be used for any purpose, including training AI models.

10. Audit Rights

Upon Customer's reasonable request and subject to appropriate confidentiality obligations, Tembo shall make available to Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer. Tembo may satisfy this obligation by providing: (a) SOC 2 Type 1 reports and other third-party audit reports; (b) responses to reasonable written security questionnaires; or (c) upon reasonable advance notice and at Customer's expense, on-site or remote audits during business hours.

11. International Data Transfers

11.1 Transfer Mechanisms

Customer acknowledges that Tembo is based in the United States and that Customer Personal Data may be transferred to, stored, and Processed in the United States. To the extent such transfer requires an appropriate safeguard under Data Protection Laws, Tembo shall rely on the Standard Contractual Clauses or other lawful transfer mechanisms as appropriate.

11.2 Standard Contractual Clauses

The parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) adopted by Commission Implementing Decision (EU) 2021/914 shall apply to transfers of Customer Personal Data from the EEA to Tembo in the United States. By entering into this DPA, the parties are deemed to have executed the Standard Contractual Clauses with Customer as the "data exporter" and Tembo as the "data importer."

11.3 UK and Swiss Transfers

For transfers of Customer Personal Data from the United Kingdom, the UK Addendum to the EU SCCs shall apply. For transfers from Switzerland, the SCCs shall apply with the modifications required by Swiss data protection law.

11.4 Infrastructure Location

Tembo does not maintain any infrastructure in China or other jurisdictions of concern. All infrastructure is located in trusted regions with appropriate data protection standards.

12. General Terms

12.1 Order of Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

12.2 Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

12.3 Governing Law

This DPA shall be governed by the laws specified in the Agreement, except that the Standard Contractual Clauses shall be governed by the laws specified therein.

12.4 Severability

If any provision of this DPA is found to be unenforceable, the remainder shall continue in full force and effect.

13. Contact

For questions about this Data Processing Addendum or to exercise data protection rights, please contact us at: privacy@tembo.io

Tembo Data Systems, Inc.
2900 Reading Road, Suite 310
Cincinnati, Ohio 45209
United States